[Python-Dev] About "Coverity Study Ranks LAMP Code Quality"
Fredrik Lundh
fredrik at pythonware.com
Wed Mar 15 10:07:42 CET 2006
Martin v. Löwis wrote:
> > On the other hand, the exploit could be crafted based on reading the SVN
> > check-ins ...
>
> Sure. However, at that point, the bug is fixed (atleast in SVN);
> crackers need to act comparatively fast then to exploit it. OTOH, if
> only the report was available, the project might not take any action
> for some time, increasing the risk of an exploit.
it should also be mentioned that Python has an established procedure for
dealing with more serious security problems, and "go check it in" is not part
of that procedure.
(there's still a possibility that someone checks in a fix without realizing that
the original bug is an attack vector, but I don't think Coverity has discovered
anything like that in the Python code base; we're mainly talking about leaks
and null-pointer references here).
</F>
More information about the Python-Dev
mailing list